
Threat Advisory: Mirai Botnet

Author: Chad Seaman

Overview

Much is already known about the Mirai botnet, thanks to a thorough writeup by Malware Must Die and a source-code repository that was later distributed publicly. This advisory provides information about attack events and findings from both before and after the Mirai code release. It also summarizes pertinent research data and the processes that led to the associated findings. Signatures observed in real-world attacks are included and may aid in the future detection and mitigation of Mirai-based attacks.

Attack Events Timeline, Statistics, & Signatures

Mirai attack signatures were first observed in attacks against a security blog run by journalist Brian Krebs. The first attack in the series of four peaked at 623 Gbps. The timeline below represents the four attacks mitigated by Akamai.

Figure 1: First series of observed Mirai attacks launched against Brian Krebs

Just days after this series of DDoS attacks, the source code for Mirai was made public. The next timeline represents the bandwidth in gigabits per second for Mirai-confirmed attacks occurring after this code was released. Peak bandwidth in these later attacks, although still substantial, has mostly been under 100 Gbps. In addition, most of the attacks were under 30 million packets per second.

Figure 2: Timeline of attacks that Akamai mitigated following the Mirai code release

The only attack that peaked at just over the 30 million packet-per-second mark was the 261 Gbps attack on October 11. The overall lower packet rates can be attributed for the most part to the extra padding in many of the Mirai attacks seen so far. Most of these attack events used vectors with payloads padded with at least 512 bytes of data. These larger packets consume more bandwidth but typically result in a lower packet rate.
